So I have migrated an OpenVPN server, which seems simple enough; I just copied /etc/openvpn/* to the new server.

But when I generate keys, I'm getting an error when a client is connecting. I am able to successfully connect when I use my old ca.crt.

I have a few related simple questions:

  1. Is the ca.crt the same file that all our clients get, or is it generated per user? (I'm under the impression it's the same file for each client, but I'm not 100% sure.)
  2. I usually generate 3 files

    client.csr
    client.crt
    client.key
    

Inside of the .ovpn config file, it asks for

ca.crt
client.crt
client.key

  3. Which files that the client gets are generated on a per-user basis, and which of those 3 files would that normally be?

I'm a little confused as to which files I need. I've done this for myself a long time ago, but now I'm being asked to do it on a grander scale and need a bit more thorough understanding than "it works".

What I think I've done in the past is rename client.csr to client.ca, but I could be wrong.

There is a ca.crt in the root of /etc/openvpn/ but it doesn't work! But it looks like I have another entire certs tree that was abandoned under /etc/openvpn/techsupport/, but it hasn't been used since 2011! There is a ca.crt in there as well that I need to try.

I'm not 100% sure this is correct, so please let me know if it's not. I don't want to spread misinformation, but I found a decent source for my hypothesis/answer.

I technically create 4 files when I use

./build-key-pass

Id.pem = where Id is the index number
client.crt = Client's cert
client.key = Client key
client.csr = Client signing request

The client gets the following:

clients:
   ca.crt           CA's public certificate
   ClientXXXX.crt   The client certificate
   ClientXXXX.key   The client key

Once the CSR is created/signed, it can be deleted (based on my reading here)

The ID.pem is used for later revocation, sort of a file-based database system. The two files you need are client.crt and client.key and then the "public CA.crt", which to me means it has 2 qualities.

It is not secret, and it is deployed with all Open-VPN-Key pairs.

So my issue is that I have been using an incorrect ca.crt found in the /etc/openvpn/* directory, and I should archive it along with the apparently abandoned /techsupport and then re-create the ca.crt on the server so that this confusion doesn't happen again.

After comparing my ca.crt with a co-workers, this seems the logical choice.

A final note:

  • Is the file ca.crt in /etc/openvpn/ used for anything or is that just a logical place to put it for storage?

[UPDATE] With regards to my final note, I noticed there is a ca.crt inside /certs/keys/ which is the one that I have locally. Again, my question is: does the ca.crt in /etc/openvpn/ do anything, and should it be removed/replaced with the one from /keys/? My thought is that it is from an old setup/config.
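A way to settle the "which ca.crt is the real one" question above: check which candidate CA file actually verifies a client certificate, since that is the file the .ovpn bundle must carry. This is an added example, not code from the original post or from OpenVPN/easy-rsa; it assumes openssl is on PATH and all file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN/easy-rsa.
# Finds which of several candidate ca.crt files actually issued a client
# certificate. Assumes openssl is on PATH; all file names are hypothetical.
set -e

# Subject of a certificate, with the "subject=" prefix stripped.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^[^=]*= *//'; }
# Issuer of a certificate, with the "issuer=" prefix stripped. For a client
# cert this names the CA whose ca.crt must be shipped in the .ovpn bundle.
cert_issuer() { openssl x509 -noout -issuer -in "$1" | sed 's/^[^=]*= *//'; }

# Return 0 if client cert $2 verifies against CA cert $1, 1 otherwise.
# This is the same signature-chain check OpenVPN performs with the ca.crt
# it is configured with, so a mismatch here explains a failed connection.
chains_to_ca() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# Print the first candidate CA file (args 2..n) that verifies cert $1.
find_issuing_ca() {
    cert=$1; shift
    for ca in "$@"; do
        if chains_to_ca "$ca" "$cert"; then echo "$ca"; return 0; fi
    done
    return 1
}

# Build a throwaway PKI (constructed test data) in a temp dir and print its
# path: one CA, one client cert signed by it, and an unrelated "old" CA,
# like a stale ca.crt left over from a previous setup.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client0001" \
        -keyout "$d/client0001.key" -out "$d/client0001.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/client0001.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client0001.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Old CA" \
        -keyout "$d/old.key" -out "$d/old-ca.crt" >/dev/null 2>&1
    echo "$d"
}

# Usage: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    d=$(make_demo_pki)
    echo "client0001.crt issuer: $(cert_issuer "$d/client0001.crt")"
    echo "issuing CA file: $(find_issuing_ca "$d/client0001.crt" "$d/old-ca.crt" "$d/ca.crt")"
fi
```

On a real server, run find_issuing_ca with one of the existing client .crt files and every ca.crt found on disk; the one it prints is the CA the clients need, and the rest can be archived.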

This article is reproduced from Stack Exchange / Stack Overflow.